Patterns of thought: the psychology of weak passwords

In this article, I look at why webmasters, site administrators and their users choose and use weak passwords. Later, I recommend ways to create passwords that are reliable and resistant to brute-force attacks.

Warnings that the internet is increasingly an unsafe environment appear with alarming regularity in studies commissioned by companies specializing in information security. The growing number of web attacks and the increasing activity of the hacker community require a new discipline and focus on security.

But while cybersecurity experts are talking about high technology and advanced protection, it seems a rudimentary rule has been forgotten: the use of strong passwords. Unreliable passwords are a common cause of compromised corporate and retail systems. The 2015 study by Trustwave said that more than a quarter of security incidents happen because of weak passwords. Their list of the top ten business passwords is shown below.

From my own experience in the field of information security, I agree that the problem of weak passwords on system administration sites and hosting accounts is important.

We All Think Alike

Let's play a popular game. Without thinking too much, name the first thing that comes into your mind for each of the following:

A fruit

Part of the face

A Shakespearean character

A flower

A country

​I bet your answers were apple, nose, Macbeth, rose and whatever country you're from or in right now. I'm sure I got at least one right, the idea being to show the predictability of human thinking.

When a system asks a user to create a password for an account or to register on a site, the user is often thinking stereotypically. Under pressure to complete the registration, a password ends up being a common word combination. This template of human thinking is what hackers rely on when they try to guess passwords in their attempts to get into different web services.

Of course, they have help in the form of scripts and programs. These can sort out thousands of combinations in seconds, allowing them to choose from lists like the one shown above, just much longer. A program can easily calculate passwords consisting of a single word, or the most popular combinations of words and numbers.

The WordPress hosting firm WPEngine.com analyzed a database of 10 million compromised passwords collected by Mark Burnett over 15 years from publicly available sources. From those data, the top 50 most popular passwords were extracted, and are reproduced below.

You can see that, when creating passwords, people think not about security but about being able to remember them. Certain key combinations have become popular among people who want to remember their passwords but haven't thought about the security implications.

Password are nearly always chosen and typed on a computer keyboard. (You can see some hint of that in the sample combinations above.) Such passwords are easy to remember and can be mechanically repeated. At some point, people began to think that adding numbers to the ends of passwords makes them stronger. But it doesn't, at least not much. Around 420,000 of the 10,000,000 sample passwords ended in numbers between 0 and 99. Almost every fifth password had added the single digit '1'.

All You Need is Love (and Someone's Name)

To the surprise of researchers, one of the most popular words used in passwords was 'love'. Separately and in combination, the word was seen 40,000 times in a 10,000,000 password sample. Interestingly, the word 'love' is much more likely to appear in the passwords of younger generations, and females use it more often than males. According to a study by the University of Ontario's Institute of Technology, iloveplus a combination of a man's name occurred four times more frequently than ilovewith a woman's name.

Rules for a Better Password

Here is my list of rules to help you improve the security of your passwords.

Make it Longer. Cybersecurity experts say a password should be at least 10 characters long. According to the Trustwave 2015 study, an 8 character password can be guessed in one day by hackers with the right tools. But a password of 10 or more characters will take several months to crack with the same tools.

Make it Varied. A password should contain different characters, such as upper and lowercase letters, numbers, and symbols. Including them creates the least vulnerable passwords when generated at random. Using popular names, proper names, birth dates, or phone numbers in passwords makes them easy for intruders to crack using brute-force techniques.

Change it Often. You can never be completely sure that your current password has not been previously intercepted by an attacker. Frequent password changes reduce the risk that someone other than yourself has access to confidential information.

One System, One Password. Often, web administrators use the same password to log into different systems. In security terms, this means that an attacker knows enough to intercept a password and make a comprehensive data compromise. Always use different passwords to access different systems.

Don't Rely on Memory. It is nice to think we can remember all our passwords, but not all users are good with mnemonics, and memory can fade with time. There are more comfortable and modern ways to store passwords, for example, using secure password managers.

Beware Password Auto-Save. Some places should not be used to store passwords. For example, web browsers, unencrypted keychains, or FTP managers. Auto-saving passwords in this way makes them prey to hackers or Trojans.

Virtual Keyboard. If possible, do not enter passwords using a physical keyboard, but instead use a virtual keyboard, a software program that emulates a keyboard and accepts input with a mouse. These protect against 'keyloggers', programs that record keystrokes or mouse clicks and transmit them to hackers.

Restrict Admin Rights. Site owners often need the help of outside experts, and need to give them administrative access to make their jobs easier. This is an unsafe practice. Each specialist should have an individual account so you can track what actions they did. After completion of their work, change their passwords or remove their accounts.

Secure Networks. It is common to need to solve business issues while connecting to a network in public places. However, working in open Wi-Fi networks—cafes, shopping centers or airports—carries the risk of having your sensitive data intercepted with applications such as traffic analyzers (sniffers). A secure VPN connection should be used in such situations.

Secure Protocols. Working with unencrypted traffic can be the beginning of the end. Nowadays, intercepting and examining unprotected traffic and extracting personal data is easy for 'script-kiddies', young people with little or no technical knowledge, but with access to easily available off-the-shelf tools, and a motivation to use them to steal or inflict damage. For online communication, such as sending and receiving email, or sending data via FTP, you should always use a secure channel for your connections (i.e. SSL, TLS, HTTPS).

Two-Factor Authentication. A good way to improve the security of sensitive data and enhance access control is by using two-factor authentication. Under this system, a login operation is confirmed via a separate confirmation code on a mobile app or dedicated hardware device. Two-factor authentication is a reliable insurance against illegal access by hackers. Even if a fraudster can intercept a password, they cannot use it.

Conclusion

In today's digital reality, any lapse in your focus on information security issues is fraught with sad consequences. Even small troubles are likely to bring site owners a complete loss of control over web resources. It's time to think about improving your business protection in the online environment and audit the security of your sites. And you can start with a simple thing—check your passwords now!